Bug 1173558 (CVE-2020-5968)

Summary: VUL-0: CVE-2020-5968,CVE-2020-5972,CVE-2020-5971,CVE-2020-5970,CVE-2020-5969: nvidia: vGPU issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/262648/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-07-01 08:01:52 UTC
CVE-2020-5968

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
the software does not restrict or incorrectly restricts operations within the
boundaries of a resource that is accessed by using an index or pointer, such as
memory or files, which may lead to code execution, denial of service, escalation
of privileges, or information disclosure. This affects vGPU version 8.x (prior
to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).

CVE-2020-5969

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
it validates a shared resource before using it, creating a race condition which
may lead to denial of service or information disclosure. This affects vGPU
version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior
to 10.3).

CVE-2020-5970

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
an input data size is not validated, which may lead to tampering or denial of
service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to
9.4) and version 10.x (prior to 10.3).

CVE-2020-5971

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
the software reads from a buffer by using buffer access mechanisms such as
indexes or pointers that reference memory locations after the targeted buffer,
which may lead to code execution, denial of service, escalation of privileges,
or information disclosure. This affects vGPU version 8.x (prior to 8.4), version
9.x (prior to 9.4) and version 10.x (prior to 10.3).

CVE-2020-5972

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
local pointer variables are not initialized and may be freed later, which may
lead to tampering or denial of service. This affects vGPU version 8.x (prior to
8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5968
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5972
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5971
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5970
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5972
https://nvidia.custhelp.com/app/answers/detail/a_id/5031

Comment 1 Stefan Dirsch 2020-07-01 12:10:17 UTC
We don't package the NVIDIA Virtual GPU Manager, let alone provide it to our customers through any repository located on our or NVIDIA's place. I consider this bug INVALID.

Comment 2 Wolfgang Frisch 2020-07-01 12:18:14 UTC
Invalid.